4/20/2007
07:00 AM

Want Turns to Need

Software security is no longer an emerging discipline, and here's why enterprises should care

Software security (also known as application security to some) is less than a decade old. In 1999 when I began to write "Building Secure Software" with John Viega, there were no books and only a few articles for software developers and architects interested in building in security. Lots of tomes and titles now fill the software security bookshelf.

Not surprisingly, software security is now considered a real subsector of computer security and is even tracked by analysts. The Yankee Group estimates that the entire market is worth between $250 million and $275 million, numbers that jibe with my own breakdown of the space.

As software security grows from a nice-to-have into a necessity, many companies are trying to determine how to get started. A quick look over the space can provide some answers.

Bigger Toolbox
Last year, the combined software security tools market earned between $90-$100 million. Most of this revenue was earned by black box testing tools, especially those tools created specifically for testing Web software. Black box testing tool vendors earned between $58-$70 million. The leader in the Web application security testing space is Watchfire, which earned close to $30 million last year. The other strong competitor, SPI Dynamics, earned just over $18 million. Lesser companies in the space including Cenzic, Codenomicon, and the like, earned another $10 million or so between them.

My view of black box testing tools, which I call "badness-ometers," is well known. In brief, badness-ometers are great for helping identify and highlight the software security problem -- just don't treat them as security meters. As such, I'm pleased that the market for these tools is robust, having doubled last year and continuing with similar growth into 2007. The best aspect of these tools is that they help companies and developers understand that their software is broken -- an essential activity in a new market like software security. Once this realization hits home, these companies are well positioned to take advantage of code analysis tools and other software security professional services.

If your company has yet to come to grips with software security, a black box testing tool may be just what the doctor ordered. On good days, these tools can find very serious problems with very little up front investment, and in many organizations, identifying the problem is often half the battle.

As badness-ometers continue to spread, they drive demand for solutions that do more than identify the problem. Source-code analysis tools speak to this demand. Last year, code scanners earned around $20 million (more than doubling the 2005 revenue). This market is dominated by Fortify, which earned 10 times more than its closest remaining competitor, Ounce Labs. (Fortify acquired some of the assets of Secure Software early this year.) Klocwork and Coverity, which sell closely related tools, tend to focus more on software quality than software security, so I don't count their revenue in this analysis.

Code scanning tools are often very reasonable places to start for development groups that want to tackle the software security problem, especially in shops that are code intensive.

Services Uptick
Black box testing tools and source code analysis tools don't run themselves, nor do they provide a silver bullet for the software security problem. All told, the software security services market is worth anywhere from $80 million to $120 million. SPI Dynamics' and Watchfire's offerings are simple and powerful enough to be wielded by workaday testers and developers, but more complex tools work much more effectively when they are properly integrated into an organization.

Large consultancies such as IBM Global Services, Cybertrust, Symantec, and Ernst & Young focus their software security activities on application penetration testing services. Ultimately, these are badness-ometer services. In many cases, they rely on running and reporting the results of a Web application security testing tool.

Boutique consulting shops such as Foundstone and Cigital focus more attention on getting inside the code. These consultancies wield source code scanners, provide training, and also perform architectural risk analysis.

In 2006, services surrounding more complete software security initiatives at the enterprise level came into vogue. These large scale initiatives include training for thousands of developers, the creation of enterprise-specific knowledge and guidance, and the integration of software security best practices (which I call the touchpoints) into the software development lifecycle.

Overcoming Denial
Software security is quickly becoming a business necessity. As I described in last month's column, SOX and PCI compliance activities serve to help corporations better understand their software risk. (See Compliance As Kick-Starter.) Because the impact of software failure (maliciously caused or otherwise) is great, many corporations are already working diligently on software security.

There are many ways to get started. Those corporations serious about tackling the problem -- that is, those corporations with staggering amounts of software security risk -- take on multi-year enterprise software security initiatives. Microsoft has made plenty of noise and progress with its Trustworthy Computing initiative. Other ISVs, including Oracle and Cisco, are rushing to catch up even as their customers begin to ask hard questions about product security. The financial vertical leads the pack among non-ISV corporations with large scale initiatives underway. The first step in any large initiative is creating a plan based on best practices. Such plans almost always include a heavy training component.

A large initiative may be too much to bite off at once, especially if your company has yet to come to grips with the business reality of the problem. In these cases, getting started with a simple badness-ometer tool is often helpful. These tools can produce eye-opening results of the "oh darn" variety, which in turn provide excellent ammunition to counter challengers who claim "our software is just fine."

Another alternative is hiring a security team to analyze a critical application. The deeper the analysis, the better the results will be; but even a quick and dirty penetration test can serve to get the ball rolling.

Training also makes a great starting point, especially if it is focused on developers and architects. The trick to successful software security training is to make sure that whoever develops and delivers it is a bona fide software person. Years of security experience will not help without deep knowledge of C, C++, Java, and software architecture. Developers only listen to their own kind.

No matter what the route, there is no longer any excuse to put off software security. Customers are becoming aware of the problem, regulations demand real solutions, and the reactive network security hacks of the past consistently fail.

Computer security spent many years in a reactive stance, with vendors inventing and peddling band-aid solutions like firewalls, antivirus tools, and intrusion detection engines. Only recently has the stark reality of security begun to sink in. We have no alternative but to build security into the software that we depend on to run the modern world.

Gary McGraw is CTO of Cigital Inc. Special to Dark Reading
